The University of Alabama in Huntsville appreciates the opportunity to support the development and expansion of the local area network (LAN) for the U.S. Army’s Software Engineering Directorate (SED). Our involvement in the earlier development of the LAN gives us a unique insight into the SED LAN and its users. The team assembled for this effort was thus able to provide a historical perspective on technology growth that few others could have.

Part of the analysis of a computer network like the one at SED involves planning for long-term use. This includes planning for new equipment, growth in services, and smooth transitions to new technologies. Planning for new technologies involves ensuring that they can be migrated from the core of the network (high-speed communication between parts of the network) to end-user technology (connection to the desktop) as the core of the network is upgraded over time.

This process is not unlike the strategy auto manufacturers use: adding a new top-of-the-line model every few years and dropping the lowest-end model at the same time. Our recommendations for high-speed networking stem from an analysis of the long-term growth potential of new technologies and the (in)appropriateness of upgrading end-user connectivity in the short term.

1.0  INTRODUCTION 


This is the final report for Delivery Order (D.O.) 9, “F/DOD/ARMY/AMCOM/Computer Network Security and Directory Services Architecture.” As such, it represents the collective effort of six UAH employees, together called the ‘SED Support Center Team,’ or simply the ‘Support Center,’ over the course of ten months.

This report details the activities related to the various tasks in the D.O. and is arranged by task within section 2. Section 3 summarizes the activities and recommendations of the Support Center. A list of items purchased on this D.O. is included in appendix A.
2.0 ACTIVITY REPORTS

The following sections cover the various tasks in the D.O. The relevant activities for each item are summarized within the appropriate section. Each section opens with the text from the Statement of Work (SOW), detailing the requirements for that particular area of effort; this provides the context for the activities performed.


2.1 Directory Service Synchronization

Research architectural and equipment issues related to the implementation of a synchronized directory service. Consideration shall be given to the current Email structure, the Directorate database, the impact of Defense Messaging System (DMS) compliance, and the use of X.500 directory services. Implement and test candidate solutions.

The task of synchronizing email directories has become a priority both here at the SED and on the Redstone Arsenal as a whole. The Command Group has been pushing for a unified email directory system, and has mandated that all the email servers on the Arsenal migrate to Microsoft Exchange. In addition, many SED users have asked for visibility into the email directory for the entire Redstone Arsenal. But while an Arsenal-wide directory is a clear advantage to the user, for the system administrator it can be very difficult. Directory information changes daily for an organization the size of the Redstone Arsenal. Keeping all the directories up to date is a monumental task, especially when so many different email systems and servers are in use. During this delivery order the SED network support group studied and implemented a number of directory services for our users. The SED Exchange server was also readied for integration with the Redstone Arsenal servers.

The Exchange Move Server Wizard

The Exchange Move Server Wizard is a key component in directory synchronization efforts involving the Microsoft Exchange email system. When Microsoft Exchange is initially installed on a server, the administrator must specify the organization and site name for the system. These names describe a hierarchy of Exchange servers. For years after Exchange Server was first released, there was no way to change the organization and site names once they had been set. The only alternative was to completely remove and reinstall the Exchange server with the new organization and site name. All data on the old server was removed along with the server, and putting it back in place after the server was reloaded was very difficult. Since then, Microsoft has published the “Exchange Move Server Wizard.” This program allows existing Exchange servers to change organizations or sites with minimal impact on the users. Even this tool has its problems, however.
Figure 1: Exchange Directory Hierarchy

Problems with the Move Server Wizard

The Exchange server organization and site names were not designed with change in mind. Changing them, even with the correct tools, requires a good deal of work on the part of the system operators, and damages parts of both the server and the client in the process. For example:

1) Most of the personal address books on the client machines break and cannot be repaired. The broken address book entries have to be deleted and recreated.

2) Any server-side mail routing rules break and cannot be repaired. Like the address book entries, they must be deleted and recreated. In addition, the newly created rules cannot be modified after they have been created.

3) All public folders and mail connectors must be removed from the server before the move and recreated afterwards. The contents of these folders must be stored elsewhere while the move is proceeding. Also, the permissions on each folder and the settings for each connector must be written down so that they can be restored when the items are recreated.

4) The Move Server Wizard rewrites all the X.400 and X.500 email addresses in the organization and, if the server name has changed, all the SMTP addresses as well. The rewriting rules are rudimentary and cannot be adjusted by the user. The result is that in many cases the email addresses for the entire organization must be reworked by hand after the move is complete.



This raises the question, “Why would anyone want to move an Exchange server?” The reason is connectivity. Only when two Exchange servers are in the same organization can they connect with each other using a “site connector,” also known as an “Exchange connector.” The site connector is the fastest, most reliable email transfer method available to Exchange server. Not only does it transport email messages, it also shares directory information between servers so that they function as one logical unit. It is often worth the difficulty of moving a server to achieve the connectivity of the Exchange site connector. Also, using the Move Server Wizard is still much more efficient than reinstalling Exchange.

The Exchange X.400 Connector

The Exchange X.400 connector comes with the Enterprise version of Exchange, and offers a second connectivity option besides the Exchange site connector. The X.400 connector has many of the same advantages as the Exchange connector. It provides a direct path for email between two servers, and can synchronize the directory information between two or more servers. Messages sent and received using an X.400 connector must be converted to X.400 format and back, making the connector somewhat less efficient than the Exchange connector. The advantage of the X.400 connector is that it can connect the Exchange system to other, non-Exchange email systems that also use X.400.

Problems with the X.400 connector

The network support team tested the X.400 connector looking for possible alternatives to the Exchange connector. It was feared that the Exchange connector would give control of the entire organizational directory structure to all servers within the organization. Since the different servers in the organization are managed by different groups of administrators, this could cause problems. The X.400 connector, it was thought, would reduce the possibility of administrators of other systems creating problems on servers that were not their own. During the course of testing, however, this assumption proved false. While it is true that only a very limited amount of administrative access is allowed across the Exchange X.400 connector, what access there is appears to be flawed and can cause serious problems. Furthermore, it was discovered that the regular Exchange site connector can be implemented with administrative access controls that prevent administrators of remote systems from changing the local one.
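The access-control rule the team wanted from a connector can be shown in code. The following is an added example, not the report’s code and not a description of how Exchange 5.5 replicates its directory: every entry carries the server that homes it, and a change feed from a remote server may only add, update or delete entries homed on that server, so a remote administrator cannot rewrite the local server’s entries through the connection. SEDEXCH1 is the report’s new server; the remote server name “CICMAIL”, the mailboxes and the domains are invented for the example.

```python
"""Directory replication with per-entry authority.

Added illustration, not the report's code and not how Exchange 5.5
replicates: every directory entry records the server that "homes" it,
and a feed of changes from a remote server may only add, update or
delete entries homed on that remote server.  Everything else in the
feed is rejected and recorded, so a remote administrator cannot rewrite
our own entries through the connector.  Server name CICMAIL, mailboxes
and domains below are made up for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Entry:
    mailbox: str      # mailbox name, e.g. "jdoe"
    home: str         # server that owns this entry, e.g. "SEDEXCH1"
    smtp: str         # primary SMTP address
    display: str      # display name
    version: int = 1  # bumped by the owning server on every change


@dataclass
class Directory:
    local_server: str
    entries: dict = field(default_factory=dict)   # mailbox -> Entry
    rejected: list = field(default_factory=list)  # audit trail of refused changes

    def add_local(self, mailbox, smtp, display):
        self.entries[mailbox] = Entry(mailbox, self.local_server, smtp, display)

    def apply_feed(self, feed_from, changes):
        """Apply a change feed received from server `feed_from`.

        `changes` is a list of (op, Entry) with op in {"add", "update", "delete"}.
        Returns the number of changes accepted; refused ones land in `rejected`.
        """
        accepted = 0
        for op, e in changes:
            # Rule 1: the feed may only carry entries that claim to be homed on
            # the sender.  A forged "home" naming some other server is refused.
            if e.home != feed_from:
                self.rejected.append((feed_from, op, e.mailbox, "home mismatch"))
                continue
            existing = self.entries.get(e.mailbox)
            # Rule 2: an entry we already hold for another server (including
            # our own) is never overwritten by this feed, even on a name clash.
            if existing is not None and existing.home != feed_from:
                self.rejected.append((feed_from, op, e.mailbox, "owned by " + existing.home))
                continue
            if op == "add" and existing is None:
                self.entries[e.mailbox] = e
                accepted += 1
            elif op == "update" and existing is not None and e.version > existing.version:
                # Only strictly newer versions are applied, so a replayed or
                # stale update cannot roll an entry back.
                self.entries[e.mailbox] = e
                accepted += 1
            elif op == "delete" and existing is not None:
                del self.entries[e.mailbox]
                accepted += 1
            else:
                self.rejected.append((feed_from, op, e.mailbox, "no-op or stale"))
        return accepted


def demo():
    """Local server SEDEXCH1 receives a feed from the (invented) remote CICMAIL."""
    d = Directory("SEDEXCH1")
    d.add_local("jdoe", "jdoe@sed.example", "Doe, Jane")
    feed = [
        # Legitimate: a mailbox homed on the remote server.
        ("add", Entry("asmith", "CICMAIL", "asmith@cic.example", "Smith, Al")),
        # Remote administrator tries to rewrite our user's address (rule 2).
        ("update", Entry("jdoe", "CICMAIL", "jdoe@evil.example", "Doe, Jane", 2)),
        # Same attempt with the home field forged to look like ours (rule 1).
        ("update", Entry("jdoe", "SEDEXCH1", "jdoe@evil.example", "Doe, Jane", 2)),
        # Legitimate newer version of the remote-homed entry.
        ("update", Entry("asmith", "CICMAIL", "al.smith@cic.example", "Smith, Al", 2)),
    ]
    accepted = d.apply_feed("CICMAIL", feed)
    return d, accepted


if __name__ == "__main__":
    directory, n = demo()
    print("accepted:", n)
    for r in directory.rejected:
        print("rejected:", r)
```

Running the demo accepts the two changes to the remote-homed mailbox and refuses both attempts on the local one; the refusals are kept in `rejected` so that a connector peer misbehaving in this way shows up in a log rather than silently in the address book.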

The LDAP Extension for Outlook

Some of the users at the SED had an immediate need for directory access to other email systems on the Redstone Arsenal. Since moving a server takes so much time and effort, these users needed a stop-gap solution for directory access. The Microsoft LDAP directory connector offered them just what they needed.

LDAP is an acronym for “Lightweight Directory Access Protocol.” It is an open standard, and thus provides a simple way for servers to share directory information with non-proprietary clients. The Exchange server exposes its directory over LDAP by default, even though the Exchange and Outlook clients cannot read it on their own. However, Microsoft has written an LDAP extension for Outlook that allows it to read LDAP directories. The extension installs as a service and integrates with the regular address book features of Outlook.
Problems with the LDAP Extension

The only problem with the LDAP extension for Outlook was its awkwardness for the users. Although the extension integrates with the Outlook address book, it does not give the user direct visibility of the addresses on the server it points to. Instead, when a user selects the LDAP connector he or she sees a blank address book and must perform a search to find any information. This is counterintuitive for most users. It also means that it is very difficult to find certain kinds of information in the directory.

Moving the Server

At the beginning of this delivery order, the Exchange server at the SED was running on a machine named “Susie”, a quad-processor AlphaServer 2100. The organization name for this installation was “SED” and the site name was “Building 6260”. Under the new regulations¹ passed down to us by the AMCOM commander, this naming convention had to be changed. The new organization name would have to be “ORGANIZATION”. The machine name and site name would also have to be changed. New hardware (an AlphaServer 4100) had been purchased to host the SED Exchange server, so the decision was made to change all the directory names as the transition to the new hardware took place.

Preparations for the server move

To prepare for the move to the new server, the new server hardware was set up and tested. The operating system (Windows NT 4.0) and Microsoft Exchange 5.5 had to be installed on the new hardware platform, along with the latest service packs for each and the “Move Server Wizard” for Exchange. Also, the tape backup system on the new machine had to be installed, configured, and tested. The Exchange system was set up under the old “SED” organization and connected to the existing Exchange server “SUSIE”. The new server was christened “SEDEXCH1”. The connection between SEDEXCH1 and SUSIE would later allow all the account information and stored mail from SUSIE to be moved to SEDEXCH1 automatically.

Test accounts were created on SEDEXCH1 to verify that delivery of mail would be uninterrupted when the actual mass migration was performed. After preliminary testing was complete, several of the active Network Support accounts were moved to the new server. The network support team used the server for several weeks to test its reliability. It was discovered that when an account was moved to the new server, several small changes had to be made on the client side to enable the user to continue receiving mail. These changes would have to be made on every single client machine at the SED, over 400 machines at the time. Since the SED does not have any kind of end-node management software installed on the clients, the changes would have to be made by hand. However, the changes were simple enough that the average user could make them if properly instructed. As a result, a web page was written explaining how to update a client machine to receive mail from the new server.


¹ AMCOM Regulation 25-15, “Information Management - Management, Protection and Use of Federal Communications Resources.”
A week before the migration, an email was sent to all the Exchange users explaining the server migration and referring them to the web site. The same email was sent again, as a reminder, on the day before the migration began.

The server migration itself was done over a weekend. The following tasks were performed:

1) A full backup of the entire email system was made, including both the system and data disks. Backups were verified for accuracy.

2) All the users from the old Exchange system were re-homed to the new Exchange server. This automatically moved all their email to the new server.

3) The settings for the Internet Mail Connector and all public folders were recorded on paper so they could be restored after the move.

4) The contents of each public folder were temporarily stored in a personal storage file (a “.pst” file) so they could be restored after the move.

5) The Internet Mail Connector and all public folders were deleted.

6) The connection between the two email servers was severed, and the old mail server was powered off.

7) The Move Server Wizard was run on the new email server, and the new organization name (“ORGANIZATION”) and site name (“SED”) were set.

8) The Internet Mail Connector was re-installed on the new server and reconfigured.

9) All the public folders were re-created, and their settings and contents were restored.
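Steps 3, 4 and 9 record connector and folder settings on paper and restore them by hand, and the wizard’s address rewrite means the directory needs checking afterwards as well. The following is an added example, not the report’s code, of the verification a practitioner would script around such a move: a canonical snapshot of the settings taken before the move, a field-by-field comparison after the restore, and a scan of the mailboxes’ SMTP addresses for the retired server’s name or an unexpected domain. The connector fields, folder permissions, mailboxes and the organization-wide domain are made up; only the retired host name “susie.sed.redstone.army.mil” comes from the report.

```python
"""Pre/post check for a migration where settings are restored by hand.

Added example, not the report's code: connector settings and public folder
permissions are captured as a snapshot before the move, compared field by
field after they are recreated, and the directory's SMTP addresses are
checked for leftovers of the retired server.  Settings, mailboxes and the
organization domain below are made up; the retired host name is the one
the report gives.
"""
import hashlib
import json

OLD_SERVER_DOMAIN = "susie.sed.redstone.army.mil"   # server-specific address (report)
ORG_DOMAIN = "sed.redstone.army.mil"                 # assumed organization-wide domain


def snapshot(objects):
    """Canonical JSON plus a SHA-256 digest, so the 'written down' settings
    can be compared exactly regardless of key order."""
    canon = json.dumps(objects, sort_keys=True, separators=(",", ":"))
    return canon, hashlib.sha256(canon.encode()).hexdigest()


def diff_settings(before, after):
    """Return (object, field, old, new) for every object or field that is
    missing, added or different after the restore.  An empty list means the
    restore reproduced the snapshot exactly."""
    problems = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            problems.append((name, "*", old, None))
            continue
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                problems.append((name, key, old.get(key), new.get(key)))
    for name in after:
        if name not in before:
            problems.append((name, "*", None, after[name]))
    return problems


def check_addresses(addresses, old_server_domain=OLD_SERVER_DOMAIN, org_domain=ORG_DOMAIN):
    """Flag mailboxes whose primary SMTP address still names the retired server
    or, after the wizard's rewrite, no longer ends in the organization domain."""
    flagged = []
    for mailbox, addr in addresses.items():
        domain = addr.rpartition("@")[2].lower()
        if domain == old_server_domain:
            flagged.append((mailbox, addr, "server-specific address"))
        elif domain != org_domain:
            flagged.append((mailbox, addr, "unexpected domain after rewrite"))
    return flagged


def demo():
    """Constructed before/after settings and a constructed address list."""
    before = {
        "Internet Mail Connector": {"smarthost": "relay.example", "max_msg_kb": 4096},
        "Public Folder: Helpdesk": {"owner": "netsupport", "perm:default": "reviewer",
                                    "perm:anonymous": "none"},
    }
    after = json.loads(json.dumps(before))                          # deep copy
    after["Public Folder: Helpdesk"]["perm:anonymous"] = "author"   # restore mistake
    addresses = {
        "jdoe": "jdoe@sed.redstone.army.mil",
        "bob": "bob@susie.sed.redstone.army.mil",   # still carries the old host name
        "eve": "eve@ORGANIZATION.sed",              # constructed rewrite mishap
    }
    return diff_settings(before, after), check_addresses(addresses)


if __name__ == "__main__":
    settings_problems, address_problems = demo()
    for p in settings_problems:
        print("settings:", p)
    for p in address_problems:
        print("address:", p)
```

In the constructed run the comparison catches a public folder whose anonymous permission came back as “author” instead of “none”, which is exactly the kind of error that is easy to make when permissions are re-entered from notes, and the address scan lists the mailbox still advertising the retired host and the one whose domain the rewrite mangled.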

Results of the server move

The server move was time consuming, but went relatively smoothly. The most time-consuming part was dealing with the public folder contents and security settings. In spite of the advance warning that the SED user community received, many of them still forgot that the server move was scheduled and called the helpdesk on Monday morning after the move. Others had problems following the update instructions on the web page. Fortunately, however, the majority of the SED users were able to update their own clients, as was hoped. Several small, unanticipated problems arose after the migration:

1) Some users who connected to the server over a dial-up connection had problems with their offline store (.OST) file. The .OST problem only occurred on machines which were (1) configured to access the Exchange server directly (i.e., using the “Microsoft Exchange Server” service, not the Internet mail service) and (2) accessing the Exchange server using “remote mail” via a dial-in connection.

2) A number of the users on the old email system had been giving people their server-specific address, “username@susie.sed.redstone.army.mil”. When they were moved to the new server, they could no longer receive mail at this address. The problem was dealt with simply by informing the users, and through them their contacts, of the correct email address.

Current Implementation

The new email server is now in full-time production. The system has almost 500 users, and does not show any sign of overloading or bandwidth problems. The user community is pleased with the service they are receiving, almost without exception. The problem now is the politics between organizations on the Redstone Arsenal. The server was originally moved to the organization name “ORGANIZATION” so that it would comply with the naming conventions passed down to us by AMCOM, and so that we could establish a connector between our server and the one at Redstone’s Corporate Information Center (CIC). Before the server move began, it was understood that this would not be a problem. However, by the time the server move was complete, the policy had changed, and currently no one is allowed to connect to the CIC email servers. Even so, the server move has not been a waste of time. The new server is faster than the old one, and the new organization name is still mandated by the AMCOM policy. It is unfortunate, however, that the directory synchronization will have to be done without the MS Exchange connection. An Exchange connection is being negotiated with AMRDEC, the parent organization of the SED. It is hoped that AMRDEC will be able to get a connection to CIC before long, so that the Redstone directories can be synchronized through them.


2.2 Web-based Directory Services

Research architectural and security issues related to adding directory services access via World Wide Web (WWW) browsers to existing WWW architecture. An architectural security model shall be developed to address provisions for controlling access to some information while making other information publicly available. Implement and test candidate solutions.

There are two directories maintained at the SED. One is the employee/telephone directory; the other is the email directory. The employee directory is kept in an Oracle database, while the email directory is (of course) kept on the email server, in its own database. By default, neither of these databases is Internet-accessible or viewable with a web browser. But web-based accessibility has become important to so many people that database software companies have made web accessibility much easier to achieve. This is true of both of the database systems mentioned above. Microsoft has provided a web-mail interface for Exchange server that allows users not only to view email directory information, but also to send and receive email and use other Exchange services. The Oracle Corp. also provides well-developed tools for publishing database information on the Internet or an intranet. The task of the network support group is to implement the web publishing systems and the security systems to ensure that only authorized people will have access to the published information.

Background

The administrator who manages the Oracle database at the SED is not part of the regular network support group. Because of this, most of the responsibility for implementing the web interface for the SED telephone directory has fallen outside the team. As a result, the Network Support Team primarily deals with three areas of web directory publishing: synchronizing the information in the two SED databases and the other Redstone email systems, publishing the email system directory for the SED users, and securing both systems against possible misuse.

Initial Conditions

The initial implementation of web-mail occurred before this delivery order, but it was not made available on a production scale because it was not secure. Although a username and password are required before a web-mail user can access any sensitive information, the default web interface does not encrypt the login exchange. As a result, anyone with a network protocol analyzer on the path could easily have recovered the credentials of our customers who use web-mail. For that reason, the initial implementation of web-mail was limited (with IP address filters) to use by people within the SED LAN. Of course, this made the web-mail implementation almost useless, since everyone on the SED LAN had better email clients than the web interface offered. However, it did give the network team a good opportunity to test and tune the system, and it provided an additional access method for users who dialed directly into the SED network with a modem.

During this delivery order, software was installed on the SED Exchange server to allow it to offer encrypted web pages using SSL. The SSL software used comes with the Microsoft Internet Information Server and Management Console. In order to use SSL on a web server, the server must be registered with a certificate server (a certificate authority). The certificate server provides the web server with a source of authority, so that clients can verify the identity of the server and trust the content received from it. To start the process, the system administrator generates a key pair on the web server and sends a certificate request containing the public key to the administrator of the certificate server; the private key never leaves the web server. After the web server’s identity is confirmed, a certificate is returned to the web server.

The certificate is a digitally signed document containing the web server’s identity and public key, signed with the certificate server’s private key, along with certain connection parameters. The certificate is stored on the web server by the administrator and configured to operate with specific network services. This allows the web server to prove its identity to any client that connects to these services and trusts the certificate server.

When a client connects to a web server running SSL, it negotiates the connection, verifies the identity of the server it has connected to, and then establishes a symmetric cryptographic key that will be used to encrypt whatever data the client sends or receives. Using SSL on the SED web mail server strengthens the security of our web mail system in several ways:

1. Privacy. The 128-bit encryption used on the SED server provides a reasonable level of privacy. This is especially important because users submit passwords across the network in order to log onto the email system. Also, the email messages and directory data sent to the client contain sensitive information that must be protected.

2. Authentication and data integrity. SSL provides a way for the client to verify that the server is actually the machine it claims to be, and that the data it sends has not been tampered with. This is important on the Internet, since it is not difficult to set up one computer to masquerade as another.

The following steps were taken to install SSL on the SED web mail server:

1. Install the current version of web mail. This was done concurrently with the server move. Patches and updates also had to be installed.

2. Request an SSL certificate from the approved authority for government web servers.

3. After receiving the certificate, install it on the SED web mail server, and configure it to run on the proper ports and web pages.

4. Modify the web mail pages so that the SSL session is established before the login authentication takes place.

5. Modify the web server configuration so that (1) web mail cannot run unless it is encrypted, and (2) users are automatically connected to the secure sockets port when they connect to the server.

6. Register the web mail server with Redstone’s Corporate Information Center.

After these steps were taken, the web mail system was put into production. In order to minimize the risk of unauthorized access to the system, all user accounts were initially set to deny access to the web mail system. Then, as users requested web mail service, they were allowed in one at a time. This policy remains in effect.

Today the SED web mail system is an integral part of the network infrastructure. Very few problems were encountered while implementing this system, and it is hoped that it will continue to provide the SED users with remote access to email and directory information for years to come.
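Two pieces of the above can be shown concretely. The following added example (not the report’s code nor Microsoft’s) first recovers a user name and password from a constructed capture of a plain-HTTP logon that uses HTTP Basic authentication, which is what a protocol analyzer yields when the login is not encrypted, and then encodes the policy of steps 4 and 5 together with the default-deny account list: web-mail paths are served only over SSL, a browser that arrives on the plain port is redirected before it sees a login page, and only accounts that have been enabled may log in. The host name, path, account and password are invented.

```python
"""Cleartext web-mail logon and the rule that enforces SSL.

Added example, not the report's code or Microsoft's.  The capture, host,
path, account and password below are constructed for the example.
"""
import base64

TLS_PORT = 443
WEBMAIL_PREFIX = "/exchange"

# Constructed capture of a logon before SSL: HTTP Basic authentication is
# only base64-encoded, not encrypted, so the password travels in clear.
_TOKEN = base64.b64encode(b"SED\\jdoe:Summer99!").decode()
CAPTURED_LOGON = "\r\n".join([
    "GET /exchange/ HTTP/1.0",
    "Host: webmail.example.mil",
    "Authorization: Basic " + _TOKEN,
    "",
    "",
]).encode()


def credentials_from_capture(raw):
    """Return (user, password) from a cleartext HTTP request, or None.

    This is all a protocol analyzer has to do once it sees the request.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            return None
        user, _, password = decoded.partition(":")
        return user, password
    return None


def webmail_policy(method, scheme, host, path, user, allowed_users):
    """Decide how the web server handles a request for the web-mail pages.

    Returns (status, detail).  `allowed_users` holds lower-case account
    names that have been enabled for web mail one at a time; every other
    account is denied (default deny).
    """
    if not path.startswith(WEBMAIL_PREFIX):
        return 200, "serve"                       # not web mail: outside this policy
    if scheme != "https":
        if method == "GET":
            # Step 5(2): send the browser to the SSL port before any login
            # page is shown, so the logon never takes place in clear.
            return 301, "https://%s:%d%s" % (host, TLS_PORT, path)
        # A POST on the plain port has already carried its credentials in
        # clear; redirecting it would not undo that and would only teach the
        # client to retry the same way.  Refuse it outright (step 5(1)).
        return 403, "web mail is served only over SSL"
    if user is None:
        return 401, "authentication required"
    if user.lower() not in allowed_users:
        return 403, "web mail not enabled for this account"
    return 200, "serve"


if __name__ == "__main__":
    print("sniffed:", credentials_from_capture(CAPTURED_LOGON))
    for req in [("GET", "http", "/exchange/", None),
                ("POST", "http", "/exchange/logon", None),
                ("GET", "https", "/exchange/", "jdoe"),
                ("GET", "https", "/exchange/", "mallory")]:
        method, scheme, path, user = req
        print(req, "->", webmail_policy(method, scheme, "webmail.example.mil",
                                        path, user, {"jdoe"}))
```

The redirect protects only the first GET. A login page that was already delivered over plain HTTP and then submitted has lost the password no matter what the server does with the POST, which is why the policy refuses such a POST rather than forwarding it, and why step 4 moves the SSL negotiation ahead of the login page instead of relying on the redirect alone.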




2.3 Network Monitoring

Research solutions to provide for computer network monitoring to include error detection/recovery and considering network security vulnerability issues. Implement and test candidate solutions.


Security Regulations on Monitoring

Army Regulation 380-19 specifies what users are allowed to do with Government resources, including the Internet. There are numerous products that allow us to monitor this Internet traffic for enforcement. However, another group, which currently runs the Redstone Arsenal campus network, has full monitoring functionality set up over the entire campus. Currently there is no need for us to duplicate this monitoring at the local level. Any incidents that are reported by the campus group are then tracked and handled at the directorate level.

Tools Available

Expansion plans for the SED network include upgrading to Fast Ethernet to the desktop. When this happens there will be no monitoring capability for the Fast Ethernet segments, because none of the current Sniffer products can monitor at Fast Ethernet speed. Newer versions include the capability of monitoring up to Gigabit speeds. As the new network comes online, an analysis will be made of current technologies to choose from what is available at the time. Trying to make any decisions at this time is futile due to the volatility of available products.

We are also looking at modules that will integrate into the new network and allow on-the-fly SNMP and RMON traffic monitoring for analysis. These tools will allow us to redirect all traffic from a specific switch port to this module and analyze the traffic from there.

Implementation of Tools

ClearVISN, a management utility created by Digital Equipment Corporation, gives the ability to manage all network equipment via a graphical utility from a single workstation. ClearVISN is a policy-based network management product that allows SNMP configuration for all DEC hub-based products, including switches and VLAN (virtual LAN) management. This also includes firmware upgrades to almost all modules.

We have also installed CiscoWorks 2000, an SNMP-based, web-based product used for management of the Cisco modules on the new network. This product allows for monitoring and configuration management of all Cisco products within our control, greatly simplifying management.


2.4 Operational Network Support

Provide operational computer network systems support. Operational support consists of providing solutions to network problems, collecting information on network status and utilization, testing for network vulnerabilities, and investigating millennium date change (Y2K) impact.


The total number of requests that the Support Center has processed during the period of performance of this Delivery Order is approximately 1600 to 1800. Extrapolating that to one year’s time (accounting for an increase in requests over time), we estimate that over 2000 requests would be serviced in a year. This number is very significant when you consider that the Support Center does not actively advertise its existence to the SED community. Both the Support Center staff and the Army technical monitor agreed at the beginning of this project that the Support Center was significantly understaffed to handle the support needs of the entire SED community.

A more accurate total number of requests serviced, along with service times and other typical statistics, is difficult to arrive at because not every problem handled was logged. It is recommended that multi-user software be purchased or developed in the near future to provide more detailed problem tracking and reporting abilities.

Examples  of  service: 

• Adding and configuring our IP subnets (SED now has 1280 Internet addresses,
of which about 1050 are used, increasing at a rate of about 15 per month)

•  Resolve  address  conflicts,  notably  IP 

•  Activate  and  deactivate  serial  ports  in  offices 

• Add thinnet and/or 10BaseT ports to offices

•  Reroute  and  extend  the  building  network  in  the  high  bay  area 

•  Troubleshoot  network  connection  problems  on  computers  running 
Windows 

•  Troubleshoot  PC,  Mac,  Sun,  VAX  problems,  both  hardware  and  software 
related  ("My  ...  won't  work.") 

•  Manage  name  server  entries 

• Assist users with Microsoft Exchange problems

• Install network software on various PCs

•  Numerous  forgotten  password  problems 

• Accommodate personnel and equipment moves within SED on the network

•  Plan  for  expansion  of  service  team  and  bolstering  of  support  capabilities 

•  Monitor  and  protect  against  virus  attacks 

• Monitor and protect against reported hacker and/or denial-of-service attacks
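As an added example (not part of the original report or of any SED tooling), the following Python script shows the kind of check behind the "resolve IP address conflicts" service above: a conflict is flagged when more than one hardware (MAC) address answers ARP for the same IP address on a segment. The input format ("<time> <ip> is-at <mac>") and the sample lines are constructed here to resemble a protocol analyzer listing; a real capture would be fed in the same way.

```python
"""Detect IP address conflicts from observed ARP replies.

Added example, not from the SED report. A conflict is reported when more
than one MAC address claims the same IP address. The listing format and
the sample below are constructed for this example.
"""
from collections import defaultdict

# Constructed sample of ARP replies seen on one Ethernet segment.
# Assumed format: "<timestamp> <sender IP> is-at <sender MAC>".
SAMPLE_ARP_REPLIES = """\
10:01:02 192.0.2.10 is-at 00:00:f8:11:22:33
10:01:03 192.0.2.11 is-at 08:00:20:aa:bb:cc
10:01:05 192.0.2.10 is-at 00:00:F8:11:22:33
10:01:09 192.0.2.10 is-at 00:a0:c9:44:55:66
10:01:11 192.0.2.12 is-at 00:60:97:de:ad:01
this line is malformed and must be skipped
"""


def parse_arp_replies(text):
    """Yield (ip, mac) pairs from the listing.

    MACs are normalized to lowercase so the same adapter written two
    ways (as on lines 1 and 3 of the sample) is counted once.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue  # ignore anything that is not a well-formed reply
        yield parts[1], parts[3].lower()


def find_ip_conflicts(text):
    """Return {ip: sorted MAC list} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for ip, mac in parse_arp_replies(text):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_ARP_REPLIES).items():
        print(f"conflict: {ip} claimed by {', '.join(macs)}")
```

On the constructed sample only 192.0.2.10 is reported, claimed by two different adapters; the duplicate reply from the same adapter is not a conflict. In practice the conflicting MACs are then matched against the name-server and inventory records to find which of the two machines was configured with the wrong address.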
3.0 SUMMARY

Directory Service Synchronization

During this delivery order the SED network support group studied and
implemented  a  number  of  directory  services  for  our  users.  The  SED  Exchange 
server  was  also  readied  for  integration  with  the  Redstone  Arsenal  servers. 

Initially,  the  LDAP  connector  for  Microsoft  Outlook  provided  the  user  with 
some  global  address  book  features  until  the  server  move  was  complete.  Moving 
the  server  was  a  delicate  task,  but  was  accomplished  with  minimal  impact  to  the 
user  community.  Several  methods  of  directory  integration  were  tested,  but  in  the 
end  a  political  problem  stopped  the  directory  integration  from  actually  taking 
place.  It  is  hoped  that  these  problems  will  be  resolved  soon  so  that  directory 
synchronization  can  take  place. 

Web Based Directory Services

Web based directory services were provided to the SED user community through
implementation  of  the  Microsoft  Exchange  server  web  mail  interface.  The 
primary  concern  in  this  implementation  was  to  provide  access  to  the  SED  email 
system  and  directory  without  compromising  security.  Data  encryption  was 
implemented  using  SSL  through  the  Internet  Information  Server,  and  applied  to 
the  SED  web  mail  pages.  Today  the  SED  web  mail  system  is  an  integral  part  of 
the  network  infrastructure.  Very  few  problems  were  encountered  while 
implementing  this  system,  and  it  is  hoped  that  it  will  continue  to  provide  the 
SED users with remote access to email and directory information for years to
come. 

Network Management

Hub management is being handled by Digital Equipment Corporation's (DEC)
ClearVISN  network  management  software,  a  graphical  management  utility.  As 
DEC  equipment  is  the  primary  equipment  used  for  backbone  transport, 
ClearVISN  is  able  to  handle  management  of  almost  all  installed  equipment. 

The  Network  General  Sniffer  has  proved  to  be  an  invaluable  tool  in  monitoring 
both  the  Ethernet  and  FDDI  network  currently  in  place  at  SED.  With  a 
possibility  of  higher  traffic  speeds  in  the  future,  it  may  be  necessary  to  purchase 
another  Sniffer  version  capable  of  monitoring  this  faster  traffic  to  add  to  the  tool 
chest. 

Another  group  is  currently  handling  monitoring  of  Internet  traffic  at  the  campus 
level,  and  duplication  of  this  ability  is  not  necessary  at  the  local  level. 

Operational Network Support

The Support Center has processed over 2000 total help-desk requests during the
period  of  performance  of  this  D.O.  This  number  is  very  significant  when  you 
consider  the  fact  that  the  Support  Center  does  not  actively  advertise  its  existence 
to  the  SED  community,  as  well  as  the  current  staffing  level.  The  staffing  level  is 
currently  being  increased  to  accommodate  this  increased  support,  as  well  as  in 
preparation  for  the  SED  Annex  which  will  soon  be  operational. 




APPENDIX A: Equipment Purchased

The following items were purchased on this Delivery Order (see note 2):

• TestOut! Training Guide for MS NT4 MCSE

• 20 Microsoft Exchange Client Access Licenses (part #381-00851)

•  Windows  98  CD  (part  #  730-00001)  Full  Installation 

•  Windows  98  Plus  CD  (part  #320-00123) 

•  Visio  Professional  CD  5.0 

•  Crimpmaster  Frame  and  Dies  for  RJ-45  Crimp  Tool 

•  Crimpmaster  Replacement  Dies  for  Crimpmaster 

•  Cisco  IOS  and  Configuration  Manuals 

• Digital Pathworks for OpenVMS Documentation Package, Manufacturer
Part Number QA-A93AA-GZ

•  Microsoft  SQL  Server  7.0  Manufacturer  Part  Number  228-00328 

•  Cyan  Tektronix  Color  Sticks  for  Phaser  340  (016-1308-01) 

•  Magenta  Tektronix  Color  Sticks  for  Phaser  340  (016-1309-01) 

•  Yellow  Tektronix  Color  Sticks  for  Phaser  340  (016-1310-01) 

•  LN17EP  Toner  Cartridges  (LN17X-AA) 

•  Visio  Enterprise  Upgrade  from  Visio  Pro  (121345) 

•  Microsoft  TechNet  Academic  Single  Server  License  Unlimited  User 
Educational  (323-00258) 

•  Cisco  Networking  and  Configuration  Manuals  plus  "Mastering  Access  97" 

•  TFTPServer32  Version  3 


Note 2: Single quantity purchases were made unless otherwise indicated.